May 7, 2009

Security Experts Find Missile Data On Hard Drives

by ssavage

Researchers say sensitive information for shooting down intercontinental missiles as well as bank details and NHS records was found on old computers, BBC News reported.

The researchers from BT and the University of Glamorgan found that 34 percent of the 300 hard disks bought randomly at computer fairs in the UK, America, Germany, France and Australia and an online auction site still held personal data.

They noted that the information was enough to expose individuals and firms to fraud and identity theft, as they contained sensitive bank account details and medical records.

"We used standard tools to analyze the data," said Professor Andrew Blyth.

The work also unearthed job descriptions and personal identity numbers as well as data about a proposed $50 billion currency exchange through Spain.

Additionally, a disk bought on eBay was found to contain details of test launch procedures for the THAAD (Terminal High Altitude Area Defense) ground-to-air missile defense system.

The missile system is designed to destroy long-range intercontinental missiles launched by terrorists or countries the US considers to be "rogue states". It was tested as recently as March 2009 following a controversial missile test by North Korea.

The US defense group Lockheed Martin designed and built the missile system. The same computer hard disk also revealed security policies and blueprints of facilities at the group, as well as personal information on employees.

A located disk from France included security logs from an embassy in Paris, while two disks from the UK appear to have originated from a Scottish health board, the report said.

Patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters from the Monklands and Hairmyres hospitals, part of Lanarkshire health board, were found on several disks.

One disk from a US-based consultant, formerly with a US-based weapons manufacturer, revealed account numbers and details of proposals for the $50 billion currency exchange including details of business dealings between organizations in the US, Venezuela, Tunisia and Nigeria.

The results were in line with previous studies that showed 40 percent to 50 percent of second-hand disks that can be powered up contained sensitive data, according to Blyth, an expert in computer forensics and principal lecturer at the University of Glamorgan's faculty of advanced technology.

"While it's not getting worse, its not getting any better either. It's not rocket science. I could probably take somebody who is 14 or 15 years old and in a day have them doing this," Blyth added.

A majority of organizations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks, according to Dr. Andy Jones, head of information security research at BT.

"Businesses also need to be aware that they could also be acting illegally by not disposing of this kind of data properly," he said.

The study refers to hard disks that were disposed of in 2006.

"At that time NHS Lanarkshire had a contractual agreement with an external company for the disposal of computer equipment," Lanarkshire health board said in a statement.

The statement went on to say: "In this instance the hard drives had been subjected to a basic level of data removal by the company and had then been disposed of inappropriately. This was clearly in breach of contract and was wholly unacceptable."

It also noted that the board had carried out a review of its policies and now no longer uses external companies to dispose of IT equipment.

Lockheed Martin was not aware of any "compromise of data" related to the THAAD program, and no government or law enforcement agency had notified it of any such loss, according to a spokesperson for the company.

The study's results will be published in the next issue of the Journal of International Commercial Law and Technology (JICLT) 2009.

It was the fourth study in a five-year project regarding Internet security and the proper protection of IT equipment.